Method for controlling the sequence of trains during traffic control

ABSTRACT

The invention relates to a method for controlling the sequence of trains during traffic control, whereby a telephone communication between a traffic controller in a traffic control centre and a driver is carried out. In order to increase security during telephone communication, the traffic controller transmits a driving permit to the driver, in addition to a test code which is specific to the driving permit and determined by a traffic control computer, and the driver inputs the driving permit and the test code into a vehicle appliance which calculates the test code according to the same algorithm as the traffic control computer, and compares the calculated test code with the inputted test code. The driving permit is authenticated only if the two codes correspond.

The invention relates to a method for controlling the sequence of trainsduring traffic control, as claimed in the precharacterizing clause ofclaim 1, and to an apparatus relating to this as claimed in theprecharacterizing clause of claim 3.

On sections with a small amount of traffic, the sequence of trains isfrequently controlled using traffic control. In this case, the traincontroller controls train movements and shunting operations on anassociated train control section with train running messages and othermessages. The train controller maintains a train logbook, in which theoperating state of the train control section are entered, that is to saythe movement permissions which are transmitted by telephone to thelocomotive engineers in order to move on the train control section.Owing to the lack of technical protection, only low speeds arepermissible in traffic control in particular up to 60 km per hour and,if specific preconditions are satisfied, up to 80 km per hour. Trainrunning tracking is carried out in traffic management only in the formof the train logbook, which is maintained in a handwritten form. Nocomputer-aided train running data is available for linking to otherinformation and disposition systems.

The invention is based on the object of overcoming these disadvantagesand of specifying a method of the type mentioned initially which allowsa safety supplement to traffic control, with little technicalcomplexity.

The object is achieved by the characterizing features of claim 1. Theintroduction of the checking code which is specific to the movementpermission technically precludes the transmission of a movementpermission for which the safety preconditions are not satisfied.Furthermore, compliance with the movement permission is monitoredtechnically on the locomotive. The checking code guarantees technicalprotection of the telephone communication, thus ensuring that the traincontroller cannot grant movement permission which he has not previouslychecked for permissibility by an input in the train control computer,and also that the locomotive engineer does not receive confirmation formovement permission when he enters movement permission which he has notpreviously received, or has not received in this form, in the vehicleappliance. The checking code is calculated from the data for the currentoperating situation by means of an algorithm which cannot be coped withmanually. In this case, it is, of course, necessary to ensure that thechecking codes cannot be repeated with a regularity which can beunderstood. The improvement in safety associated with this allowsapproval for speeds of up to 100 km/h.

The train controller has a train control computer in the train controlcenter in which—instead of or in addition to the train logbook—all trainrunning messages are entered and in which there is thus a databaserelating to the current operating situation on the train control sectionall the time. Every movement permission must be entered in the traincontrol computer before being transmitted by telephone to the locomotiveengineer. The input can be made in the most effective manner, in asimilar manner to that for routing, by definition of the start anddestination. The train control computer carries out a permissibilitycheck and rejects the movement permission in the event of asafety-critical conflict. The train control computer does not determineany checking code for a rejected movement permission.

There is a single vehicle appliance onboard the locomotive. The movementpermission which is transmitted by telephone from the train controllerto the locomotive engineer is entered in the vehicle appliance togetherwith the checking code by the locomotive engineer. The vehicle appliancechecks the correctness of the entered movement permission, and comparesthe movement destination with the current train location. If there areno objections to the movement permission, this is indicated on thevehicle appliance display as a valid movement permission, otherwise thevehicle appliance rejects it. On reaching the movement permissionboundary, that is to say the movement destination, for which themovement permission was granted, the locomotive engineer is instructedby an indication, and possibly by an audible signal, to obtain a newmovement permission. If the movement permission boundary is crossed, awarning signal is produced demanding that the locomotive engineer stopimmediately.

When the locomotive engineer enters the movement permission (which isbeing transmitted by telephone by the train controller) in the vehicleappliance, the checking code which is likewise transmitted must also beentered. The vehicle appliance uses the same algorithm as the traincontrol computer to calculate the checking code for every movementpermission that is entered, and compares this with the checking codeentered by the locomotive engineer. If the manually entered checkingcode does not match the calculated checking code, the movementpermission is rejected. Since the locomotive engineer cannot determinethe checking code himself and is thus instructed to enter a validmovement permission in response to the transmission of the checking codeby the train controller, it is impossible for an incorrectly enteredmovement permission whose permissibility has not already been checked inthe train control center and for which there is thus a checking code toobtain confirmation of this movement permission, that is to say a validmovement permission.

As is claimed in claim 2, a similar safety process is also provided forthe transmission of a train running message from the locomotive engineerto the train controller. Before emission of the train running message,which is intended for producing the safety release of track sections infront, this message is first of all entered by the locomotive engineerin the vehicle appliance, which calculates the associated checking code.The locomotive engineer then transmits the train running messagetogether with the checking code to the train controller, who enters bothdata records in the train control computer. The train control computeruses the same algorithm as the vehicle appliance to calculate thechecking code for each entered train running message, and compares thiswith the manually entered checking code. If the entered checking codedoes not match the calculated checking code, the train running messageis rejected. Since the train controller cannot determine the checkingcode himself and is thus instructed to enter a valid train runningmessage in response to the transmission of the checking code by thelocomotive engineer, it is impossible for an associated track section tobe released erroneously.

The transmission of a train running message from a local train stationmovement manager to the train controller would likewise have to beprovided, if required, in a similar manner.

According to claim 3, the following components are required as majoritems for an apparatus for carrying out the method:

-   -   a train control computer in the train control center for        permissibility checking and for calculation of the checking code    -   a communication device between the train control center and the        locomotive, as well as    -   a vehicle appliance for calculation of the checking code which        is specific to the movement permission, and having a comparison        device for comparison of the manually entered checking code with        the calculated checking code.

Only a relatively small number of new infrastructure components aretherefore required for sections on which there is little traffic.Communication in this case takes place via the existing communicationtechnique. An improvement in safety is also obtained by not equippingall of the locomotives with the vehicle appliance. Although there may becertain operational restrictions, in particular with regard to speedrestrictions, there is, however, no need for any complex technicaladditional devices in the train control center.

According to claim 4, the train control computer is preferably acomputer which is safe for signaling purposes and has history functions.This solution which is safe for signaling purposes is the only way tomake it possible to dispense with the management of the handwrittentrain logbook for traffic control. In order to allow operation tocontinue using a handwritten train logbook in the event of failure ofthe train control computer, the train control computer must have aprotected history function, from which the operating situation thatexisted immediately before the failure together with all the trainlocations and the movement permissions that have been granted can becalled up and can be transmitted to the train logbook.

The choice of a solution which is safe for signaling purposes would alsoallow the train control computer to be integrated in the controlinterface for electronic control systems. It would thus be possible tocontrol not only sections controlled by the control system but alsotrain control sections from one user interface. The database for thetrain control computer also allows linking to disposition systems, thatis to say it is also possible to integrate regional networks in thedisposition of sections controlled by a control system and train controlsections in a system, even in the operational control centers.

According to one preferred embodiment, which is characterized in claim5, the vehicle appliance is in the form of a computer which is not safefor signaling purposes but has a history function. The vehicle computerdoes not grant the locomotive engineer direct clearance to move, but hasonly a restrictive effect on operation when faults are found. Failure ofthe vehicle appliance on its own cannot lead to any hazard. An incorrectaction by the locomotive engineer must always take place for this tooccur. In consequence, it is sufficient to use a solution which is notsafe for signaling purposes and is thus technically less complex.Nevertheless, it should be possible to record all indications and inputsof the vehicle appliance for subsequent evaluation processes by means ofhistory functions, in the event of irregularities.

If local train station movement managers are equipped with computers forcalculation of the checking codes, similar requirements apply to thosefor the vehicle appliances. However, these computers may possibly notneed any protected history function.

The invention will be explained in more detail in the following textwith reference to illustrations in the form of figures, in which:

FIG. 1 shows a schematic illustration relating to the transmission ofmovement permission from a train controller to a locomotive engineer,and

FIG. 2 shows a schematic illustration relating to the transmission of atrain running message from the locomotive engineer to the traincontroller.

FIG. 1 shows the procedure used by a control center to grant movementpermission to a vehicle. Once a train controller in the control centerhas received a movement request, transmitted by telephone from a vehicleengineer, the train controller enters an appropriate movement permissionin a train computer. This uses the occupancy status of the requestedtrack section to check the permissibility of the movement permission,and calculates a checking code which is specific for that movementpermission. The movement permission is then stored in a history file inthe train control computer, and is quasi-granted, together with thechecking code, on a train control computer screen display. This movementpermission is transmitted by the train controller together with thechecking code by telephone to the vehicle engineer. The vehicle engineerenters the movement permission and the checking code in a vehicleappliance, which carries out a plausibility check, in particularrelating to the current vehicle position and destination, and determinesthe checking code on a permission specific basis analogously to thetrain control computer. Once this has been done, the movement permissionis stored in a history file in the vehicle appliance, and is displayedas a valid movement permission.

The calculation of the checking code may include, in particular, detailsrelating to the date, train number and destination of the movementpermission.

This results in a safety level being achieved which is comparable tothat for train sequence protection on sections with a section blockwhich is not autonomous, without any train influence. Step-by-stepimplementation is also possible, by restricting the protection of thetransmission of messages to the granting of the movement permission asshown in FIG. 1. The largest safety gap in traffic control is thusclosed just by prevention of impermissible departure without anymovement permission.

FIG. 2 shows the procedure for the train running message from thevehicle engineer to the control center. If the vehicle has reached oneof possibly a number of train running signaling points within a traincontrol section for which that control center is responsible, the traincompleteness is first of all checked, and is entered in the vehiclecomputer. This calculates the checking code, which is also stored in thehistory file. The checking code is displayed and is transmitted togetherwith the train running message by telephone to the train controller inthe control center. The train running message and checking code areentered in the train control computer, which carries out a plausibilitycheck, likewise calculates the checking code, and compares this with themanually entered checking code. The track sections to be released arethen defined and are entered in the history file. The screen displayconfirms the correctness of the train running message or, ifappropriate, signals a fault state.

The calculation of the checking code for the train running message may,in particular, include the date, the train number, the nature of thetrain running message and the current train running signaling point.

The invention is not restricted to the exemplary embodiments describedabove. In fact, a number of variants are feasible, which also make useof features of the invention, while being implemented in fundamentallydifferent forms.

1. A method for controlling the sequence of trains during trafficcontrol, with communication taking place between a train controller in atrain control center and a locomotive engineer, wherein the traincontroller transmits movement permission to the locomotive engineer anda movement-permission-specific checking code, which is determined by atrain control computer, and the locomotive engineer enters the movementpermission and the checking code in a vehicle appliance which uses thesame algorithm as the train control computer to calculate the checkingcode, and compares the calculated checking code with the enteredchecking code, with the movement permission being confirmed only in theevent of a match, and rejection of the movement permission beingsignaled if there is no match; and wherein the locomotive engineertransmits to the train controller a train running message, which isrequired in order to release a track section, and a checking code whichis determined by the vehicle appliance and is specific to the trainrunning message, and the train controller enters the train runningmessage and the checking code in the train control computer, which usesthe same algorithm as the vehicle appliance to calculate the checkingcode and compares the calculated checking code with the entered checkingcode, and the track section is released only in the event of a match. 2.An apparatus for carrying out the method as claimed in claim 1, whereina train control computer which is arranged in the train control centerand has a checking apparatus for permissibility checking of movementpermission which can be entered manually for a train control section onthe basis of the current operating situation on this train controlsection, in which case a calculation device for calculation of achecking code which is specific to the movement permission can beactivated only if the movement permission is permissible, acommunication device for telephone transmission of the movementpermission and of the checking code to the locomotive engineer, and avehicle appliance which is arranged on the locomotive and has a locationdevice, the calculation device for calculation of the checking codewhich is specific to the movement permission and a comparison device forcomparison of the calculated checking code with the checking code whichwas transmitted by telephone and can be entered manually together withthe movement permission, with a display being provided for visualizationof the comparison results.
 3. The apparatus as claimed in claim 2,wherein the train control computer is a computer which is safe forsignaling purposes and has a history function.
 4. The apparatus asclaimed in claim 2 wherein the vehicle appliance is a computer which isnot safe for signaling purposes but has a history function.
 5. A methodfor controlling a sequence of trains during traffic control, the methodwhich comprises: determining, with a train control computer using agiven algorithm, a movement-permission-specific checking code;transmitting, from a train controller to a locomotive engineer, amovement permission and the movement-permission-specific checking code;entering the movement permission and the checking code in a vehicleappliance, calculating the checking code in the vehicle appliance withthe given algorithm to form a calculated checking code, and comparingthe calculated checking code with the entered checking code; confirmingthe movement permission only in the event of a match, and signaling arejection of the movement permission if there is no match; andtransmitting a running message and an associated checking code from thelocomotive engineer to the train controller, with the train runningmessage being required in order to release a track section and theassociated checking code being determined by the vehicle appliance andbeing specific to the train running message; entering the train runningmessage and the associated checking code in the train control computer,using the same algorithm as the vehicle appliance to calculate acalculated checking code, and comparing the calculated checking codewith the entered checking code; and releasing the track section only inthe event of a match between the calculated checking code and theentered checking code.